Forged requests flaw leads to six-figure payout

Apple awarded $100k bug bounty to a researcher

UPDATED A security researcher has scored a $100,000 bug bounty after uncovering flaws in the ‘Sign in with Apple’ authentication technology.

Apple’s authentication feature is used by third-party applications as a login mechanism. Users can sign into accounts such as Dropbox, Spotify, Airbnb, and others through their Apple ID, avoiding the need to set up yet another login and password combination.

Security researcher Bhavuk Jain discovered that this mechanism is flawed, such that it was possible for an attacker to hijack user accounts with web properties that relied on ‘Sign in with Apple’.

Jain demonstrated a flawed web authentication mechanism rather than a confirmed ability to take over accounts.

“These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user,” according to Jain.

Token security

‘Sign in with Apple’ uses either a JSON Web Token (JWT) or a code generated by the Apple server in order to authenticate app visitors.

Users have the option, while authorizing, of hiding their Apple Email ID. If the user decides to hide this ID, Apple generates its own user-specific Apple relay Email ID.

After successful authorization, Apple creates a JWT which contains this Email ID, a token subsequently used by the third-party app to log in a user.

Forging ahead

After examining the JWT payload, Jain figured out a way to forge this token, allowing him to hack into a targeted account, as explained in a technical blog post.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain writes.

“This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

“The impact of this vulnerability was quite critical as it could have allowed full account takeover,” he added.

“A lot of developers have integrated ‘Sign in with Apple’ since it is mandatory for applications that support other social logins.”

According to the security researcher, staff at Apple went through their logs and determined there was “no misuse or account compromise due to this vulnerability”.

Apple’s notification that all developers need to implement ‘Sign in with Apple’ in their apps if they are using some kind of social logins prompted Jain to examine the technology more closely, he told The Daily Swig.

“This led me to poke around ‘Sign in with Apple’ and to understand how it works,” he explained. “That’s when I found the vulnerability.”

Jain disagreed with the proposition that flaws like this, as well as recent shortcomings with Facebook’s technology, mean that consumers would do better to create their own login credentials for every account rather than rely on technologies such as OAuth.

“Bugs exist everywhere, and this kind of bug is rare,” Jain told The Daily Swig. “I feel OAuth is still the best way users should authenticate with.

“It’s fast, convenient and much better than using a password,” he added.

Jain concluded: “People tend to use the same passwords on different websites which therefore increases the risk if any of those websites gets compromised and the password is leaked.”


This story was updated to add comment from Bhavuk Jain
